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Quantum key distribution protocols typically make use of a one-way quantum channel to distribute 
a shared secret string to two distant users. However, protocols exploiting a two-way quantum 
channel have been proposed as an alternative route to the same goal, with the potential advantage 
of outperforming one-way protocols. In this paper we provide a strategy to prove security for 
two-way quantum key distribution protocols against the most general quantum attack possible by 
an eavesdropper. We apply this method to prove the security of two important examples of such 
protocols. In our analysis we utilize an entropic uncertainty relation, which results in partially 
device-independent security, where only a few assumptions need to be made about the devices used 
in the protocol. We also show that a two-way protocol can outperform comparable one-way protocols 
in some scenarios. 
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INTRODUCTION 

Quantum key distribution (QKD) research has been 
primarily focused on one-way protocols: one party, Alice, 
prepares states, sends them through an insecure quantum 
channel, and then another party, Bob, does a measure- 
ment [l|, Q. However, in the last decade two-way pro- 
tocols have been proposed, where Bob prepares states, 
sends them to Alice through an insecure quantum chan- 
nel, Alice does an encoding on the states, sends them 
backwards through the same quantum channel and then 
Bob performs a measurement [3rtZ[ . Paradigmatic exam- 
ples of these kind of protocols are the so-called "Ping- 
Pong" protocol @ and the LM05 protocol 0- The 
former uses entangled states, while the latter uses non- 
orthogonal states. They have also been experimentally 
realized [8-ll|. 

It is not yet clear what the full potential of two-way 
protocols is, but there are at least several reasons why 
they are interesting. One motivation is that some two- 
way protocols are deterministic, that is, they do not re- 
quire any sifting of the raw keys generated due to a mis- 
match of basis choices. For example, the LM05 protocol 
Q has this advantage. The Ping-Pon g pr otocol, which 
is based on super dense coding (SDC) [13], has no basis 
choices, and therefore is also deterministic. Moreover, 
this protocol is conceptually interesting, as SDC may be 
used for QKD. 

One implementation of two-way protocols is to use po- 
larization encoding of photons in fibre optics. The polar- 
ization drift caused by the fiber then needs to be actively 
corrected 13-15}. However, if signals are sent backwards 
through the same channel, then the polarization drift is 
passively corrected by the use of a Faraday mirror at Al- 
ice's side. One implementation of QKD exploiting this 
fact is the "Plug & Play" BB84 protocol [la E3]- 



A major difficulty when studying the security of two- 
way protocols is that the eavesdropper, Eve, can attack 
each signal twice: once on the way from Bob to Alice, 
and later on its way back from Alice to Bob. This gives 
her more strategies than in a one-way QKD protocol. 
In fact, the Ping-Pong protocol has been shown to be 
while recently the LM05 protocol was 
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proven secure, but by assuming the use of qubits and the 
full characterization of all of the devices [2fj|. | 2l|. A lso, 
the Plug & Play protocol was proven secure [22|, |23[ but 
by using strong assumptions (e.g. an intensity monitor, 
phase randomizer, and attenuator are required, and all 
devices, except the source, are fully characterized). 

Unlike previous approaches, we propose a general se- 
curity proof strategy through which we get partial de- 
vice independence. Partial device independence refers 
to the scenario where devices used in the protocol only 
need to be characterized by a few assumptions. For ex- 
ample, a device would only be characterized by a sin- 
gle constant, such as the maximum overlap between two 
measurement's POVM elements. This is in contrast to 
device-independent security proofs where no assumptions 
are made about devices used in the protocol. However, 
they require loophole free Bell tests, which are not possi- 
ble with current technology 2J-|26[. We achieve partial 
device independence by using an entropic uncertainty re- 
lation, which was proposed as a powerful tool for security 
proofs of one-way protocols 27j ■ A generalization of this 
uncertainty relation [28| has also been used to prove se- 
curity of QKD in the finite-key regime [29| . 

In our proof strategy we show how to purify prepare 
and measure protocols into entanglement based proto- 
cols. An entanglement based or purified protocol is one 
where Eve prepares a state, sends a part of the state 
to Alice and another part to Bob, and then Alice and 
Bob perform measurements. In this purified picture we 
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can apply the uncertainty relation of [27|. The uncer- 
tainty relation states that given a tri-partite quantum 
state pabe and two measurements on system A, Fx and 
Fz, described by elements of a Positive Operator Val- 
ued Measure (POVM) {F i x } l and {F%}i with classical 
outcomes X and Z respectively, then 

H(Z\B)+H{X\E)>\oglh, (1) 

where H (A\B) is the conditional von Neumann entropy, 
and 7 := maxjj H-Fx-^zlloo (which we call the overlap 
between the measurements Fx and Fz). Given an op- 
erator F acting on a Hilbert space T-L such that F > 0, 
then HFlloo := max{(<p\F\<p) : <j> e U,{(j)\(j)) = 1} is the 
operator norm on positive operators. Using this uncer- 
tainty relation and the Devctak- Winter security bound 
[30l |. we demonstrate how to prove security against the 
most general type of attacks for two-way protocols. 

We use this method to prove security for two example 
protocols: a super dense coding (SDC) protocol similar 
to the Ping-Pong protocol and a protocol similar to 
LM05 (which we will also refer to as LM05) Q ■ For the 
LM05 protocol we show an improvement on the key rate 
of po| . Furthermore, we provide a comparison among 
relevant two-way and one-way protocols showing that the 
former can outperform the latter. 

Our proof clarifies the analysis of two-way QKD pro- 
tocols and provides an important step towards device- 
independent security of quantum cryptography in this 
framework. In addition, our results illustrate that that 
the uncertainty relation Eq. [T] can be useful to prove se- 
curity of QKD protocols other than BB84. 

We proceed by first defining the SDC and LM05 proto- 
cols in the scenario where only qubits are used. Second, 
we describe purified versions of these protocols in order 
apply the uncertainty relation Eq. [TJ Third, we prove 
their security. Lastly, we detail the assumptions that are 
needed for the application of this security proof to imple- 
mentations of these protocols. We also compare the key 
rates to different implementations of the BB84 protocol. 

PROTOCOL DEFINITIONS 

In the descriptions of the SDC and LM05 protocols be- 
low we assume that the states are deterministically pre- 
pared and all other devices are completely characterized. 
This is for the ease of describing the protocols and this 
assumption will not be necessary for the security proof. 

There are some similarities between both protocols: 
they have two quantum channels between Alice and Bob, 
Qi and Q2, which can be attacked by the eavesdropper, 
Eve, using any attack allowed by quantum mechanics. 
Also, Alice and Bob will be performing some X- and Z- 
basis measurements. These refer to the projections onto 
the eigenvectors of the Pauli operators ax and oz re- 
spectively. In addition, Alice and Bob will do parameter 



estimation, error correction and privacy amplification on 
their strings after the steps outlined below. They abort 
either protocol if during parameter estimation they find 
that one of their relevant error rates is beyond a certain 
threshold. 

Qubit SDC protocol 

Bob's preparation: Bob prepares a maximally en- 
tangled state \tp+) = 1/V2(|00> + |11)) and keeps one 
half of it in a quantum memory. He sends the other half 
to Alice through channel Q\ (see Fig. QJ. 

Alice: With probability c w 1 Alice applies one of 
the four Pauli operators 1 , ax, cry , oz (choosing each 
with probability 1/4) to the state from the channel 
Q\. She records her choice by storing two classical bits: 
00, 10, 11,01, respectivly. Alice then sends this state into 
channel Q2 back to Bob. With probability 1 — c Alice 
measures the state from channel Q± in the Z-basis. She 
then prepares |+) with probability 1/2 or |— ) with prob- 
ability 1/2, where |±) := 1/V2(|0) ± |1)), and sends it 
into channel Q2 to Bob. 

Bob's measurement: With probability c Bob per- 
forms a Bell measurement jointly on his stored qubit and 
his received qubit from the channel Q2- He gets possible 
outcomes \i>~), \4> + ), \<P~), and then will store the 

bits 00, 01, 10, 11 respectively. With probability 1 — c he 
measures his stored qubit in the Z-basis and his received 
qubit in the A-basis. 

Post-processing: Alice and Bob repeat the above 
procedure N times. Alice and Bob's raw key is the con- 
catenation of all of their two-bit strings together respec- 
tively. Alice publicly announces which signals she en- 
coded and which signals she measured. 

Qubit LM05 protocol 

In the LM05 protocol Alice and Bob will have the 
choice to perform either an X- or Z-basis measurement. 
We use a parameter p to denote the probability that Al- 
ice and Bob choose the Z-basis, so 1 — p is the probabil- 
ity that they choose the X-basis. We will consider two 
possible versions of the protocol for the simplicity of pre- 
sentation. Version 1 is when pal, and Alice and Bob 
will only use their A-basis measurement for parameter 
estimation (see Fig. [2]). Version 2 is when p = 1/2 and 
then they will use both X- and Z-basis measurements for 
parameter estimation and key generation. Note that the 
choice of p will not affect the key rate 

Bob's preparation: Bob prepares one of the four 
states |0), |1), |+), |— ). He chooses |0) or |1) each with 
probability p/2, and |+) or |— ) each with probability 
(1 —p)/2. When he picks either |0) or |+) he classically 
stores a 0, when he picks either |1) or |— ), he stores a 
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FIG. 1. The ideal qubit SDC protocol. Bob prepares the 
Bell state \ip + ), and keeps half of it in a quantum memory. 
He sends the other half to Alice who either does an encoding 
(with probability c, solid line) or does a Z-basis measurement 
which indicates whether she prepares |+) or |— } (with prob- 
ability 1 — c, dashed line). Alice sends this state to Bob who 
does a Bell measurement with his stored qubit and the qubit 
from Alice (with probability c, solid line) or does a Z<g>X-basis 
measurement (with probability 1 — c, dashed line) . 



1 (we refer to this bit as the preparation bit). Bob also 
stores the basis the state is in. He sends the state to 
Alice through channel Q±. 

Alice: With probability c « 1 Alice applies one of 
l,(Tx,oy,crz (choosing each with probability 1/4) to the 
state from the channel Q±. She records her choice of 
encoding. With probability 1 — c she applies a A-basis 
measurement (Version 1), or randomly chooses either an 
X- or Z-basis measurement (Version 2). Alice then takes 
the post-measurement state (when a measurement was 
performed) or the encoded state (where a Pauli-operator 
was applied) and sends it to Bob through channel Q 2 - 

Bob's measurement: Bob does a measurement in 
the same basis he prepared his state in: if he prepared 
|0) or |1) then he measures in the Z-basis, if he prepared 
|+) or |— ) then he measures in the A-basis. 

Post-processing: Alice and Bob repeat this proce- 
dure N times. If they perform reverse reconciliation, then 
Bob publicly reveals which basis he used for each signal, 
and Alice reveals which signals she measured and which 
she encoded. In Version 2 Alice also reveals which basis 
she measured in for each signal and then Alice and Bob 
discard their measurement results wherever they mea- 
sure in different bases. Bob's raw key is the result of 
the XOR of his measurement outcomes with his prepa- 
ration bits. Alice's raw key is made up of one of the two 
classical bits 00, 10, 11, 01 corresponding to the encodings 
1 , ax , ay , a z , respectively. Whenever Bob measured in 
the Z -basis, Alice keeps her first bit, and when Bob mea- 
sured in the A-basis Alice keeps the second bit. 

In direct reconciliation, Bob does not reveal his ba- 
sis choice and instead Alice reveals whether she applied 



one of the encodings from the set Sq := {l,<7y} or the 
set Si := {ax,az}- Alice would correspond the encod- 
ings 1, ax , oy , <jz with the bits 0,1,1,0 respectively. Bob 
would then need to flip his raw bit for each signal that 
he used the A-basis and Alice announces she applied an 
encoding from S\ . 
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FIG. 2. Version 1 of the ideal qubit LM05 protocol. Bob 
prepares one of the four BB84 states and sends it Alice. Alice 
performs an encoding (with probability c, solid line), or a 
measurement in the V-basis followed by the sending of the 
post-measurement state (with probability 1 — c, dashed line). 
Bob performs a measurement in the Z- or V-basis whenever 
he prepared states in the Z- or X-basis respectively. Bob 
then does an XOR of his measured bit and his preparation 
bit corresponding to his prepared state. 



We now purify these two prepare and measure QKD 
protocols by showing they are equivalent to protocols 
that start with entangled states followed by measure- 
ments by Alice and Bob. 



PURIFIED PROTOCOLS 

We introduce two purified protocols that are struc- 
tured such that a pure state is shared between Alice, 
Bob, and Eve; and then Alice and Bob perform measure- 
ments on this state. These purified protocols are equiv- 
alent to the two prepare and measure protocols listed 
above. However, less assumptions are needed about the 
devices used, including the size of the Hilbcrt spaces in- 
volved in the protocol. In the next section we will prove 
security of these purified protocols, and afterward we will 
discuss the necessary assumptions about the devices in 
the prepare and measure protocols in order to apply our 
security proof. 

We start by showing how Alice's encoding in both pro- 
tocols is equivalent to a measurement on half of a pure 
state and the encoding's input. Then, for both protocols, 
we show an equivalence between preparations and a bi- 
partite pure state followed by a measurement on half of it. 
In the LM05 protocol Alice cannot do her measurement 
such that the post-measurement state is preserved in a 
practical way. Instead, she will need to do a preparation 
to send the appropriate state. 
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We can purify Alice's encoding operation in both pro- 
tocols by finding an equivalence to a POVM acting on 
the input of the encoding and half of a pure state such 
that the other half of the pure state is the same as the 
output from Alice's encoding (see Fig. 3). In addition, 
the outcome of the POVM is two random bits indepen- 
dent of the input, and therefore is the same as Alice's 
choice of encoding operation using a random string. We 
use the following lemma to achieve this equivalence. 

For the lemma we define the set of normalized positive 
semi-definite operators on a Hilbcrt space H: S(H) := 
{t e V{H) : Tr(r) = 1}), where V(H) is the set of 
positive semi-definite operators on H. 

Lemma 1. Let {£i}i=i.. n be a set ofn completely positive 
trace-preserving maps from Hilbert space T-La to Hilbert 
space Hd and o\d € S(Hd) be a fixed density operator 
on T-Ld such that ^/nJ2i=i^i(pA) = ctd V/ja € S(Ha)- 

Then there exists a fixed pure state \4>)cd in Hcd '■= 
"He ®T~Ld, where dim He = dim^D, and a complete set 
of POVM elements {F\ c } i=1 .. n on Hac (so T,i F AC = 
1ac)> such that\/i,\/pA € S(Ha) we have 

uTtac (FXcPa <8 \<t>)cD{<f>\) = £i{p A ). (2) 
Input 




FIG. 3. A depiction of Lemma 1. An encoding that takes a 
quantum state and a random string, which is used to choose 
which encoding to perform, as input always outputs a fixed 
state (averaged over all encoding choices). This encoding 
is equivalent to the scenario where a measurement, F, acts 
jointly on the same quantum state input as the encoding and 
half of a bipartite pure state \cj>). The output of the measure- 
ment is a random string, and the other half of \<j>) is then the 
same fixed state output from the encoding, averaged over all 
measurement outcomes of F. 

In the prepare and measure protocol there were four 
encodings that Alice could do, and therefore n = 4 for 
the application of this lemma to both protocols. Now 
the encoding is purified, we purify all of the preparations 
done in both protocols. 

In the perfect qubit versions of the protocols, Alice and 
Bob's preparations are equivalent to starting with a max- 
imally entangled state \ip+) = 1/V2(|00) + 1 11) ) followed 
by a Z- or A-basis measurement (or probabilistic distri- 
bution over the choice of the two measurements). More 



generally, if we only assume that the preparations are of 
qubits (and are not exactly the preferred states in the 
protocol descriptions above) then they are equivalent to 
the maximally entangled state |?/' + ), followed by a mea- 
surement on one of the two qubits. The non- measured 
qubit is then the same as the prepared qubit pij . 

It only makes Eve more powerful to prepare both en- 
tangled states from Alice's encoding and from the pu- 
rifications of the preparations, so we can let her prepare 
these states. 

Now both protocols can be described as follows. Eve 
prepares a state pabe and sends A to Alice and B to 
Bob, and keeps part E. Alice and Bob perform one of two 
measurements on each of their systems. Then Alice and 
Bob do post-processing as in the prepare and measure 
protocol. We can now prove the security of these purified 
protocols. 

SECURITY PROOFS 

The security proofs of the purified protocols can be 
found via the Devetak- Winter rate [3(|, followed by the 
application of the uncertainty relation of Eq. Q] [22| ■ 

SDC Protocol 

First we will define some states that will be useful for 
the security proof. 

The state that Alice, Bob, and Eve share after Alice 
and Bob have done their measurements is 

tz a z b e = F A ® F b {pabe), (3) 

where Za and Zb are the classical strings that result 
from Alice and Bob's measurements, Fa and Fg, which 
are represented as completely positive trace preserving 
(CPTP) maps. We assume that the measurements Fa 
and Fb act independently on each signal, so that we can 
apply the uncertainty relation to each measurement inde- 
pendently. The measurement's POVM elements have the 
form {®j F % i}i and {<g) j where i = iii 2 h ■■■■ We 

also define another state, £, where we just change Alice's 
measurement. This state has the important property 
that H(Zb\E) t = H(Zb\E)^. Intuitively, this means 
that Eve's information about Bob's string does not de- 
pend on Alice's measurement. The state £ is defined as 

£,x a z b e = G A ® Fb(pabe), (4) 

where Xa is the classical string output from the mea- 
surement Ga on Alice's side. We do not characterize Ga- 
However, we do require that the POVM elements of Ga 
are independent, and therefore have the form {(£)j 
We now define a third state that will be used for the 
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application of the uncertainty relation |27j : 

&x a x b e = Ga <8> Gb{pabe), (5) 

where Gb have POVM elements of the form G % B ^\i 
and its classical output is denoted as Xb- In addition, 
the only characterization we make for any of the mea- 
surements is that the overlap between Gb and Fg is 
max ii ||F#G?^|| 2 00 = l/4Vfc. 

If Alice and Bob do one-way classical communication 
for the post-processing after the protocol from Alice to 
Bob, and Bob's measurement outcomes are used as the 
raw key (which we call reverse reconciliation), then we 
can write the Devetak- Winter rate [3(| as 

r>H{Z B \E) T -H(Z B \Z A ) T (6) 

>H{Z B \E\-hi{q F ) (7) 

>2-H(X B \X A ) a -h 4 (q F ) (8) 

> 2 - hi{q G ) - hi(q F ), (9) 

where /14 is the quaternary entropy function (i.e. the 
Shannon entropy of a four outcome probability distri- 
bution), q F is the error rate probability distribution gen- 
erated from Za and Zb-, and qc is the error rate proba- 
bility distribution generated from Xa and Xb- Specifi- 
cally, these error rate probability distributions consist of 
the probability that both bits are the same, both bits 
are different, only the first bit is different, and only the 
second bit is different. 

In going from Eq. [6] to Eq. [7] we use the fact that 
H(Zb\E) t = H(Zb\E)^ and we upper bound the en- 
tropy H(Zb\Za)t by hi{q F ) by using the method of 
types [3l| . From Eq. [7] to Eq. [8] we use the uncertainty 
relation Eq. [T] with the measurements Fb and Gb ■ In 
Eq. [9] we use the method of types to bound H(Xb\Xa)<j 
by h 4 (q G ). 

Alice and Bob estimate the error rates q G and q F by 
revealing Xa and Xb as well as a small fraction of their 
Za and Zb strings in jointly specified positions chosen 
uniformly at random. Alice and Bob have access to these 
strings in the prepare and measure SDC protocol because 
Bob actually performs F B and Gb (these are the Bell 
and Z ® Admeasurements in the perfect qubit scenario 
respectively); Alice uses her encoding bits (which cor- 
respond to her string Za in the purified protocol via 
Lemma 1); and her measurement and her resending of 
the post-measurement state correspond to Xa- 

We have permutation invariance of the two-bit out- 
comes and so we can apply the quantum de Finetti theo- 
rem of Renner [32[ to the protocol. Therefore the key rate 
Eq. [9] is applicable for the most general type of attacks 
by Eve. 

Due to the symmetry of the purified protocol, we could 
equivalently do direct reconciliation, where Alice uses her 
classical string as the key and Bob corrects his raw string. 
In this case the key rate is the same. 



LM05 Protocol 

The security proof of this protocol follows the same 
method as the proof for the SDC protocol, however, there 
are two differences that need to be taken into account. 
The first is that Bob chooses a different basis for each of 
his individual inputs from the channel Q2 according to a 
classical string, 9. When a bit of 6 is 0, Bob will measure 
in the Z-basis, and when a bit of is 1, Bob will mea- 
sure in the A-basis. The other difference is that there are 
two different measurements that have the desired overlap 
with Bob's measurement Fb in the uncertainty relation 
Eq. [TJ In the perfect purified protocol, Bob's measure- 
ment is a Z £g) Z-basis measurement followed by an XOR 
of the two measurement outcomes. Note that this mea- 
surement only has a one bit outcome, and therefore the 
minimum overlap it can have with another measurement 
is 1/2. The Z <S> Z measurement with an XOR has two 
measurements with overlap 1/2, as can be easily verified: 
measuring the first qubit in the A-basis and discarding 
the second qubit or measuring the second qubit in the 
A-basis and discarding the first qubit. 

Now we define three states as we did in the SDC proto- 
col's security proof. We consider the case where reverse 
reconciliation is performed and we discuss the case of di- 
rect reconciliation at the end of this section. The state 
that Alice and Bob share after they have done their mea- 
surements, Bob has publicly announced his basis choices, 
and Alice has done the sifting of her encoding bits is 

TW A W B E = J2 F A® F B(pAB E )®\Q){e\. (10) 

e 

The classical outcomes of the measurements for Alice and 
Bob are written as Wa and Wb respectively. We assume 
that F^ and F® have POVM elements that are inde- 
pendent on each signal so that the uncertainty relation 
can be applied to each individual measurement. They 
have the form {(g),. F%' j > \, and {®, F®' j > },. where 

j = hhh ■■■■ 

For the second state, we change Alice's measurement 
to be G A ' 1 , which has classical outcome V\, and i g {0, 1} 
is a bit denoting two different measurements Alice could 
choose. As with the SDC protocol, we do not specify the 
measurements G®'\ However, we do require that G®' 1 
has POVM elements that are independent, so they have 
the form {(g) fe G®' 4Jfc }.,. This gives the state 

ZvxwbE = E °a 1 ® f b(Pabe) ® |6)(0|. (11) 
e 

Now we can also define another state (which we'll use for 
the uncertainty relation), where we change the measure- 
ment on Bob's side to be G®'\ That is 

<lv B E = E G a 1 ® G^\ P abe) ® |6)(6|. (12) 
e 
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The measurement G®' 1 has classical outcome V B . 
The measurement G®' 1 acts independently on each 
signal, and so its POVM elements have the form 
{&>k ^ k }j- In addition, F B and G®' 1 must satisfy 
max,-, \\F^G e /^\\1 = 1/2 Vi,J. 

We can now consider the Devetak- Winter rate [30|: 

r > H(W B \EQ) T - H(W B \W A Q) T (13) 

> H{W B \EQ) T - H{W b \W a )t (14) 

> H(W B \E8)? -h{q F ) (15) 
>l-H(V B \V\) a ,-h(q F ) (16) 

> 1 - h(q & ) - h(q F ). (17) 

The error rates q G i arc generated from V\ and V B , and q^? 
is generated from Wa and Wb. Also, the binary entropy 
is defined as h(q) := q log 2 q + (1 — q) log 2 (l — q). 

From Eq. [T2] to Eq. Q3] we use the data processing 
inequality on the second term to trace out O. From 
Eq. [Hto Eq. [15] we use the fact that H(W B \E&) T = 
H(Wb\EQ)^ , as well as the method of types to bound 
the entropy H(Wb\Wa) by h(q F ) [3l|. In going from 
Eq. Qjj] to Eq. [16] we apply the uncertainty relation Eq. []] 
using the overlap of 1/2 between the measurements Gg 1 
and F B . In the last line, Eq. [T7] we use the method of 
types to bound H(V B \V B ) a i by h{q G i). Since Eqs.rjjto 
Eq. [17] hold for i = or i = 1 we can choose which lower 
bound on the rate r we would like to use. We would like 
to have a high lower bound and therefore we pick the 
minimum of the two binary entropies: 



r > 1 — min h{q G i) — h(q F ). 



(18) 



To estimate the error rates q G i and q F for Version 1 of the 
LM05 protocol, Alice and Bob reveal V\ and V B as well 
as a small fraction of their Wa and Wb strings in jointly 
specified positions chosen uniformly at random. In Ver- 
sion 2, Alice and Bob reveal a small fraction of both their 
V strings and W strings in jointly specified uniformly 
random positions. Alice and Bob have access to these 
strings in the prepare and measure LM05 protocol be- 
cause V% is the string of Alice's measurement outcomes 
and V B is the string of Bob's preparation bits, while V\ 
is the string of Alice's preparation bits (i.e. from her 
post-measurement state) and V B is the string of Bob's 
measurement outcomes before doing his XOR. Wa and 
Wb come from Alice's encoding bit (see Lemma 1), and 
Bob's XOR of his measurement outcomes and prepara- 
tion bits. In both versions, the resulting key rate is the 
same. 

It is important to note that since there is a minimiza- 
tion in Eq. [18] Alice can choose to either not do a mea- 
surement or not do a preparation and then the key rate 
loses the minimization, and instead she just uses the er- 
ror rate that is estimated (g^i in the former choice and 
q G a in the latter). 



Also, we have permutation invariance of the outcomes 
and so we can apply the quantum de Finetti theorem of 
32j to this protocol. Therefore the key rate Eq. fTS] is 
applicable for the most general type of attacks by Eve. 

In addition, we could have chosen to do direct recon- 
ciliation instead of reverse reconciliation. In this case, 
the string 6 would represent Alice's choice of encoding 
from the set So or Si. The proof continues in a similar 
manner and so the resulting key rate is the same. 



ASSUMPTIONS 

We can now outline which assumptions arc needed 
about the devices in the prepare and measure protocol as 
well as compare these protocols with the BB84 protocol. 
First, the assumptions necessary to purify the prepare 
and measure protocols are the following: 

1. The states prepared are qubits. This assumption 
can be avoided if instead states are prepared by the 
preparation of a bipartite state with a measurement 
on one half of it, while sending the other half into 
the appropriate channel. 

2. The output state of Alice's encoding operation is 
independent of the input state, averaged over all 
encodings. 

3. Measurements detect each signal independently. 
This means the POVM elements have an i.i.d. 
form. 

4. The probability that Alice and Bob detect signals 
is independent of their basis choices. This avoids 
the kind of blinding attacks of 3^, 34[ . 



5. Bob's devices (when reverse reconciliation is per- 
formed) or Alice's devices (when direct reconcili- 
ation is performed) are characterized by a single 
constant, 7. 

Given these assumptions on the devices, the two prepare 
and measure protocols are equivalent to the purified pro- 
tocols in the security proofs above. Also, in practical 
applications, not all measurements have only two oup- 
tuts (e.g. double clicks in optical implementations of X- 
or Z-basis measurements). In this case, any extra out- 
come should be assigned each with probability 1/2 to 
or 1. We do not analyze the effect of losses here, although 
they could be taken into account, as in J29|. 

For the SDC protocol, when reverse reconciliation is 
performed, the overlap between Bob's two measurements 
is assumed to be 1/4 (which is true for the ideal Bell 
and Z <S) X-basis measurements). For the LM05 proto- 
col, where Bob's preparations are done with a bi-partite 
state and a measurement, we assume that there are two 
measurements that have an overlap of 1/2 with Bob's 
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measurements followed by an XOR of the outcomes. The 
first is his measurement on half of his prepared pure state 
in the other basis and the second is his measurement in 
the other basis on channel Q2 ■ Note that this over- 
lap occurs between the ideal Z ® Z-basis measurement 
followed by an XOR of the outcomes and the X-basis 
measurement on his prepared pure state and his X-basis 
measurement on the input from channel Q2- In the case 
of direct reconciliation, this assumption changes to the 
overlap between Alice's POVM associated with her en- 
coding (via Lemma 1) and her measurement tcnsorcd 
with her purified preparation measurement. More gen- 
erally, we can relax the assumption that these overlaps 
are exactly 1/4 and 1/2 for the SDC and LM05 protocols 
respectively. This would result in lower constant terms 
in the key rates Eqs. ISlandlTSl 

It is important to note that no assumptions are neces- 
sary about the Hilbert space that the signals of the proto- 
cols are in (except possibly qubit preparations) . In addi- 
tion, no assumptions need to be made about the internal 
structure of the measurements on each signal, prepara- 
tions of bipartite states, or the quantum memory used in 
the SDC protocol. 

COMPARISON WITH BB84 

If we set the quantum channels to be fixed resources, 
then we can use two BB84 protocol implementations to 
compare with the SDC and LM05 protocols. The first is 
two one-way BB84 protocols (with an asymmetric basis 
choice so that basis sifting is negligible in the infinite key 
limit). The second is the Plug & Play version of BB84 
using strong laser pulses (see [2j and references therein). 
Note that Plug & Play BB84 does not have the same level 
of security as one-way BB84 [H [H], LM05 or SDC, as 
the devices need to be characterized. 

If we model the two channels as depolarizing indepen- 
dent identical channels [H, 0, [Tl| then we see the key rates 
of Fig. [4] The error rate plotted is the probability of hav- 
ing a state be depolarized when sending a signal through 
one of the channels. If instead the same channel is used 
for communication from Alice to Bob and Bob to Alice, 
with the polarization drift on the forward channel par- 
tially corrected by going back through the same channel 
[35I ] , then the key rates follow Fig. [5l Importantly, the 
SDC protocol key rate exceeds both BB84 key rates in 
this scenario, and it can also tolerate a higher error rate. 



Independent Channels 
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FIG. 4. Log base 10 of the key rates vs. an error rate (i.e. the 
probability of having a state depolarized) for uncorrelated in- 
dependent identical depolarizing channels (color online) . The 
plotted key rates are: Two copies of the one-way BB84 pro- 
tocol (blue, solid), SDC protocol (green, dashed), LM05 pro- 
tocol (cyan, dot dashed), Plug & Play protocol (red, dotted). 



Correlated Channels 
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FIG. 5. Log base 10 of the key rates vs. the error rate (i.e. 
the probability of having a state depolarized) in one channel, 
where the channels are correlated such that the error rate 
through each channel is the same as the error rate through 
one channel (color online). In this case the LM05 protocol and 
Plug & Play BB84 perform the same, while the SDC protocol 
outperforms both BB84 implementations. The plotted key 
rates are: Two copies of the one-way BB84 protocol (blue, 
solid), SDC protocol (green, dashed), LM05 protocol (cyan, 
dot dashed), Plug & Play protocol (red, dotted). 



CONCLUSION 

We have shown a general method to prove security 
of two-way QKD protocols. We have applied this proof 
method to two such protocols, namely one based on super 
dense coding (SDC), and another based on a previously 



proposed two-way protocol (LM05) Q. These two proto- 
cols are secure against the most general types of attacks 
by an eavesdropper and provide the following key rates: 

SDC: r S DC >2- h 4 (q G ) - h 4 (q F ) 
LM05: tla/05 > 1 — minj h(qa*) - h(qp). 
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Importantly, few assumptions are needed about the de- 
vices used. This is a step towards device independence 
for two-way QKD protocols. We make the following as- 
sumptions to apply our security proof: preparations are 
done in a purified way (i.e. a bi-partite state is prepared 
and half of it is measured, while the other half is used 
as the preparation), Alice's encoding output is a fixed 
state, measurements are done independently on each sig- 
nal, and a fixed overlap constant characterizes either Bob 
or Alice's devices (depending on whether reverse or di- 
rect reconciliation is performed). The first assumption 
can instead be the assumption that qubits are prepared. 

We have shown that these protocols have comparable 
performance to different implementations of the BB84 
protocol, and can even exceed the BB84 rate in certain 
relevant parameter regimes. Also, the key rate we obtain 
for the LM05 protocol is higher than that of [2(J . 

An advantage that the LM05 protocol has, which is 
not apparent in the infinite key limit, is that there are 
a higher fraction of key bits per signal sent compared to 
the BB84 and SDC protocols. If the basis bias for BB84 
and the SDC protocol used for parameter estimation is 
p, then 2p(l — p) fraction of the raw key is lost due to 
basis sifting. However, in the LM05 protocol, if c is the 
probability that Alice does her measurement, and c is 
the probability that Alice and Bob use the Z-basis, then 
only 2p(l —p)(l — c) fraction of the raw key is lost. This 
advantage would have a positive effect on the finite-key 
rate. We did not evaluate the finite-key regime here, but 
the techniques of [28| could be used to show security for 
two-way protocols. We leave this as future work. 
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APPENDIX 



Here we include the proof of Lemma 1 from the main 
text. It establishes an equivalence between a POVM act- 
ing on half of a pure state and a CPTP map of a partic- 
ular form. 



Lemma 1 (POVM equivalent to a CPTP map). 

Let {£i}i=i.. n be a set of n completely positive trace- 
preserving maps from Hilbert space T-La to Hilbert space 
%£> and o~d be a fixed density operator on'H.u such that 

1 / n J2"=l^t(PA) = <?D V/9A 6 S{% A )- 

Then there exists a fixed pure state \4>)cd in 'H-cd '■= 
He ®T~Ld, where dim He = dim^D; and a complete set 
of POVM elements {F\ c } l=1 .. n on Uac {so J2i F AC = 
Iac), such that\fi,\/pA € S(Ha) we have 



hTtac \F\cPa 



/CD 



(20) 



Proof. Summing over i in Eq. [20] implies that we require 
Tvc(\<fr) CD (4>\)=°~d , and therefore we fix \4>)cd to be a 
purification of ojj. Now we can constructively determine 
what the POVM elements F AC are in terms of od and 
the maps £i. Then we will show that this construction 
of the POVM satisfies all necessary requirements above. 

Let o~d = T,j^j\j)D(j\, so then \ip) C D = 
Ylj v\j\jj)cD- Expanding pa in an orthonormal ba- 
sis {\tp m )}m gives p A = J2mi r ™i Hm) A{i>l\, which allows 



us to write Eq. [20] as 

^2 n TrAC {FAC r ml\ll> m } a{M ® y/\j\k\jj)cD{kk\ 



jkrnl 



2J nr m ly/ XjXk (Ac(tplk\FAc\^mj) AC'\j) 
jkml 

J2 r mlWm)A(lpl\)- (21) 



n i / 



This must be true for all pA and therefore we have V m, I 
]T n W^^i k\F AC \ Vw) \j)D(k\= £i (\ip m ) (ipl I ) , 

jk 



n^J \ ] X k {i'ik\FAc\ipmj) = (j\£i{\^m}(tjJi\)\k} Vm,l,j,k. 

(22) 

Eq. [22] gives a constructive way of finding the POVM 
elements F\ c . If od has full rank then F AC is com- 
pletely determined by this equation. If od is not of full 
rank then F AC can be decomposed into a part on the 
support of o~c '■= Tr£i(|(/))c£)((/)|) and its kernel: F AC = 



F 



ac b , 



iF 



AC korno 



The block on the suppec is com- 
pletely specified by Eq. [HI and the block on kerncrc can 
be chosen arbitrarily as long as F ACk > 0, for all i 

and satisfy J^i F AC = lyic korn „ ■ It is clear from 

Eq. E2 that Y.iFicZZa = ^c s S c - 

Now we need to verify that the POVM elements satisfy 
F\c > for all i. We write the maps in their Choi- 



Jamiolkowski representation 3^, 33] 



SflVmM^il) = Ti-a(Jad(\^)a(H) T ® Id) (23) 
= (^Md^i), (24) 

where J\d are ^ ne Choi- Jamiolkowski matrices for the 
maps £i. Now we can write F^ 

1 1 



from Eq. 



as 



F 



AC S , 



n Joe 



(Jac? 



IOC 



(25) 



where J\ c := Y,jk\j)cD{i\J A D\k) Dc{k\- From this 
form it is clear that this block is positive, and so F AC > 
for all i. □ 



